Everything visible. 
Everything secure. 


DevSecOps — How to build continuous security into IT and App Infrastructures

DevOps, CI/CD and other cool terms


Where two worlds collide (DevOps vs SecOps)


What Continuous Security / Integrated Security (DevSecOps) looks like


Shift Left Security & Approaches 

A business case for DevSecOps 
Applying DevOps security into practice 
Qualys DevSecOps Solutions 
Waterfall vs. Agile Dev Methodologies

DevOps brings significant benefits, however it's complex

Traditional Security in a DevOps World

A bolt-on approach to security will also lead to failure


[Diagram: Development, Operations and Security]


Baked-in security, not bolted on


1. As integrated and transparent as possible

2. Simple to operate, even for non-security professionals

3. Easy to adapt to new challenges


Source: http://www.foodengineeringmag.com/articles/88990-tech-update-metal-detection-xray-inspection-
Shift Left Security - Continuous Security

Continuous Integrated Security

DevOps & SecOps need to be aligned in key areas

Area                      | DevOps practice   | Aligned security practice
Processes                 | Scrum, Agile      | Integrated process (via the DevOps process)
Integration & Automation  | CI/CD pipeline    | Automated security (CI/CD, test-driven audit and verify)
Tools & ...               | ...               | Self-service security tools for ...
Shift Left approaches for DevOps

Shift Left Approaches

Shift Time: shift security earlier into the DevOps cycle.
Shift Techniques: apply new techniques to help integrate security, as opposed to bolting it on.
Shift Tools: use new and existing tools in different ways to support DevOps projects.

It's not about doing the same things earlier, but an opportunity to do different and better things earlier.
Shifting Time

- Situation: new, agile DevOps teams build web apps in sprints.
  Applying the technique: vulnerabilities are found and fixed in the same release cadence.
- Situation: automated regression and test-driven development.
  Applying the technique: automated regression finds patch issues faster.
- Situation: containers are used to abstract apps from the OS.
  Applying the technique: OS vulnerabilities are patched separately from the apps.
Shifting Time

[Figure: Traditional Applications vs DevSecOps Applications]
Shifting Techniques

- Situation: vulnerable libraries are tagged in source control systems.
  Applying the technique: application builds that use vulnerable code are prevented.
- Situation: vulnerabilities are treated the same as software defects.
  Applying the technique: a contract between IT and Security facilitates integrated workflows.
- Situation: open vulnerabilities are reported to business owners.
  Applying the technique: long-held open vulnerabilities are escalated to senior (CxO) management.
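The first technique above (tag vulnerable libraries in source control, then refuse to build anything that uses them) is what a CI build gate does. The following is an added example written for this page; it is not code from the original deck or from Qualys. The tagged-library list, the lock file, the package names and the advisory ids (ADV-EXAMPLE-001, ADV-EXAMPLE-002) are all constructed for illustration; a real gate would consume an advisory feed and the project's real lock file. The gate also rejects unpinned dependencies, because a version-range check is only meaningful against exact pins.

```python
"""Build gate: block a build whose locked dependencies match a tagged
vulnerable library version.

Added example, not code from the original deck or from Qualys. The
tagged-vulnerable-library list (as a team might commit it to source
control), the lock file and the advisory ids are constructed for
illustration; a real gate would consume an advisory feed and the
project's real lock file.
"""
import re

# Constructed list of tagged vulnerable libraries:
# package -> [(affected version range, hypothetical advisory id)]
VULNERABLE_LIBRARIES = {
    "examplelib": [("<1.4.2", "ADV-EXAMPLE-001")],
    "otherlib": [(">=2.0,<2.3.1", "ADV-EXAMPLE-002")],
}

# Constructed lock file in requirements.txt style (every dependency pinned).
SAMPLE_LOCK = """
examplelib==1.4.1   # affected by ADV-EXAMPLE-001
otherlib==2.3.1     # first fixed version
safelib==0.9.0
"""

_OPS = {
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
}


def parse_version(text):
    """Numeric dotted version -> comparable tuple, e.g. '1.4.1' -> (1, 4, 1)."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def matches_spec(version, spec):
    """True when version satisfies every comma-separated constraint in spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\d.]+)\s*", clause)
        if not m:
            raise ValueError(f"unsupported constraint: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](v, parse_version(bound)):
            return False
    return True


def parse_lock(text):
    """Lock file text -> {package: pinned version}. Unpinned lines are
    rejected: a gate on version ranges only makes sense for exact pins."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, version = line.partition("==")
        if not sep or not version.strip():
            raise ValueError(f"unpinned dependency in lock file: {line!r}")
        deps[name.strip().lower()] = version.strip()
    return deps


def find_vulnerable(deps, vulnerable=VULNERABLE_LIBRARIES):
    """[(package, version, advisory)] for every pinned dependency that is tagged."""
    hits = []
    for name, version in deps.items():
        for spec, advisory in vulnerable.get(name, []):
            if matches_spec(version, spec):
                hits.append((name, version, advisory))
    return hits


def gate_build(lock_text, vulnerable=VULNERABLE_LIBRARIES):
    """Return (ok, hits); ok is False when the build must be blocked."""
    hits = find_vulnerable(parse_lock(lock_text), vulnerable)
    return (not hits, hits)


if __name__ == "__main__":
    ok, hits = gate_build(SAMPLE_LOCK)
    for name, version, advisory in hits:
        print(f"BLOCKED: {name}=={version} is tagged vulnerable ({advisory})")
    raise SystemExit(0 if ok else 1)
```

Run as a CI step, the non-zero exit code fails the pipeline stage; the tagged list lives next to the code so a change to it is reviewed like any other change.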
Shifting Tools

- Situation: multiple web apps in both dev and production.
  Applying the technique: integrate the production web app security assessment tool into DevOps processes via API.
- Situation: keep track of security assessment issues in the same way as software bugs.
  Applying the technique: automatically create trouble tickets to fix security issues using the same systems.
- Situation: prevent security issues in production from becoming a large problem.
  Applying the technique: continuously assess web apps in both dev and production so issues are not re-introduced.
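The second and third items under Shifting Techniques (vulnerabilities tracked like software defects, long-held ones escalated) and under Shifting Tools (tickets created automatically, continuous assessment so issues are not re-introduced) are one workflow when wired together. The following is an added example written for this page, not code from the original deck or from Qualys. The finding format, the in-memory ticket store, the SLA table and the three sample scans are constructed assumptions; a real integration would pull findings from the scanner's API and create or update issues through the tracker's API instead.

```python
"""Findings-to-tickets sync: scanner findings tracked like software bugs.

Added example, not code from the original deck or from Qualys. Each
unique finding becomes one ticket, a re-scan updates rather than
duplicates, a finding that reappears after its ticket was resolved is
flagged as reintroduced, and open tickets past an SLA are listed for
escalation. Finding format, ticket store, SLA table and sample scans
are constructed assumptions.
"""
import hashlib
from datetime import date, timedelta

# Assumed SLA in days per severity (1-5); an open ticket older than this is escalated.
ESCALATION_SLA_DAYS = {5: 7, 4: 14, 3: 30, 2: 60, 1: 90}

# Constructed sample scans of one app, replayed over 30 days.
SQLI = {"app": "shop", "url": "https://shop.example/login", "param": "user",
        "type": "SQL Injection", "severity": 5}
XSS = {"app": "shop", "url": "https://shop.example/search", "param": "q",
       "type": "Reflected XSS", "severity": 3}
SCAN_DAY1 = [SQLI, XSS]
SCAN_DAY15 = [SQLI]          # XSS fixed, SQLi still open
SCAN_DAY30 = [XSS, SQLI]     # XSS reintroduced, SQLi still open


def fingerprint(finding):
    """Stable id for a finding so re-scans map to the same ticket."""
    key = "|".join(finding[k] for k in ("app", "url", "param", "type"))
    return hashlib.sha256(key.encode()).hexdigest()[:16]


class TicketStore:
    """In-memory stand-in for the issue tracker."""

    def __init__(self):
        self.tickets = {}  # fingerprint -> ticket

    def sync(self, findings, today):
        """Reconcile one scan with existing tickets; return what changed."""
        actions = {"opened": [], "updated": [], "reintroduced": [], "resolved": []}
        seen = set()
        for f in findings:
            fp = fingerprint(f)
            seen.add(fp)
            t = self.tickets.get(fp)
            if t is None:
                self.tickets[fp] = {"status": "open", "opened": today,
                                    "last_seen": today, "severity": f["severity"],
                                    "finding": f}
                actions["opened"].append(fp)
            elif t["status"] == "resolved":
                # The fix did not hold or the bug came back in a later release:
                # reopen the same ticket rather than file a duplicate, and
                # restart the SLA clock.
                t.update(status="open", opened=today, last_seen=today)
                actions["reintroduced"].append(fp)
            else:
                t["last_seen"] = today
                actions["updated"].append(fp)
        # Open tickets the scanner no longer reports are marked resolved.
        # Caveat: absence can also mean lost scan coverage, so a real
        # workflow should require a verification rescan before closing.
        for fp, t in self.tickets.items():
            if t["status"] == "open" and fp not in seen:
                t["status"] = "resolved"
                actions["resolved"].append(fp)
        return actions

    def overdue(self, today):
        """Fingerprints of open tickets older than their severity's SLA."""
        return [fp for fp, t in self.tickets.items()
                if t["status"] == "open"
                and (today - t["opened"]).days > ESCALATION_SLA_DAYS[t["severity"]]]


def run_scenario():
    """Replay the three constructed scans; returns (store, actions, overdue)."""
    store = TicketStore()
    day1 = date(2024, 1, 1)
    actions = [store.sync(SCAN_DAY1, day1),
               store.sync(SCAN_DAY15, day1 + timedelta(days=14)),
               store.sync(SCAN_DAY30, day1 + timedelta(days=29))]
    return store, actions, store.overdue(day1 + timedelta(days=29))


if __name__ == "__main__":
    store, actions, overdue = run_scenario()
    for i, a in enumerate(actions, 1):
        print(f"scan {i}: " + ", ".join(f"{k}={len(v)}" for k, v in a.items()))
    for fp in overdue:
        t = store.tickets[fp]
        print(f"ESCALATE {fp}: {t['finding']['type']} open since {t['opened']}")
```

The fingerprint is what makes the tracker usable by developers: one ticket per real issue, no flood of duplicates per scan, and the "reintroduced" path is how the dev-plus-production assessment catches a fix that was lost in a later release. The overdue list is the input to the escalation step to business owners and senior management.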
Shift Left Security reduces overall costs

PLAN > CODE > TEST > RELEASE > PACKAGE > DEPLOY > OPERATE > MONITOR
DevSecOps: The Business Case for Security

Applying DevSecOps into practice

Qualys Solutions

SECURING THE WEB APP

How does Qualys play its part in DevSecOps
Use Case: Container Security across the DevOps pipeline

Pre-Deployment Phase

Post-Deployment Phase

Runtime

- File Integrity Monitoring
- Endpoint Detection & Response
- Web Application Scanning
- Vulnerability Management
- Policy Compliance (incl. Secure Configuration Assessment)
- Cloud Security Assessments